oadmin/sub2api
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
7582dc53d2dccbe4ae093209361c2fd3f6df5f21
sub2api/Makefile
yangjianbo d7011163b8 fix: 修复代码审核发现的安全和质量问题 
安全修复(P0):
- 移除硬编码的 OAuth client_secret(Antigravity、Gemini CLI),
  改为通过环境变量注入(ANTIGRAVITY_OAUTH_CLIENT_SECRET、
  GEMINI_CLI_OAUTH_CLIENT_SECRET)
- 新增 logredact.RedactText() 对非结构化文本做敏感信息脱敏,
  覆盖 GOCSPX-*/AIza* 令牌和常见 key=value 模式
- 日志中不再打印 org_uuid、account_uuid、email_address 等敏感值

安全修复(P1):
- URL 验证增强:新增 ValidateHTTPURL 统一入口,支持 allowlist 和
  私网地址阻断(localhost/内网 IP)
- 代理回退安全:代理初始化失败时默认阻止直连回退,防止 IP 泄露,
  可通过 security.proxy_fallback.allow_direct_on_error 显式开启
- Gemini OAuth 配置校验:client_id 与 client_secret 必须同时
  设置或同时留空

其他改进:
- 新增 tools/secret_scan.py 密钥扫描工具和 Makefile secret-scan 目标
- 更新所有 docker-compose 和部署配置,传递 OAuth secret 环境变量
- google_one OAuth 类型使用固定 redirectURI,与 code_assist 对齐

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-09 09:58:13 +08:00

26 lines
571 B
Makefile
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

.PHONY: build build-backend build-frontend test test-backend test-frontend secret-scan
# 一键编译前后端
build: build-backend build-frontend
# 编译后端(复用 backend/Makefile
build-backend:
@$(MAKE) -C backend build
# 编译前端(需要已安装依赖)
build-frontend:
@pnpm --dir frontend run build
# 运行测试(后端 + 前端)
test: test-backend test-frontend
test-backend:
@$(MAKE) -C backend test
test-frontend:
@pnpm --dir frontend run lint:check
@pnpm --dir frontend run typecheck
secret-scan:
@python3 tools/secret_scan.py
Reference in New Issue View Git Blame Copy Permalink